
_!SHMSFTHISTORY!_ mutex

1,240 views

jwf

Mar 8, 2015, 4:30:02 PM
hello all,

Found this on a Windows 7 computer and cannot find anything saying what it is used for.

_!SHMSFTHISTORY!_

Googling this mutex pulls back a ton of references to various malware, backdoors, trojans, etc.

I have checked a couple of Windows 7 x64 computers, including one that was freshly installed and updated to SP1 about a week ago, and I see this mutex. Additionally, I found this mutex as well:

_SHuassist.mtx

Does anyone know if there is a legitimate reason that a computer would have the following mutexes, or are they exclusively used by malware?

Ant

Mar 9, 2015, 11:38:00 AM
"jwf" wrote:

> found this on a windows 7 computer and cannot find anything saying
> what it is used for.
>
> _!SHMSFTHISTORY!_

Why were you looking for it and how did you find it?

> googling this mutex pulls back a ton of references to various
> malware, backdoors, trojans, etc.

The problem with checking automatic analysis of executables for
signs of malware is that creation or access of various Windows objects
(like mutants in this example) is sometimes a side effect of running
the executable, i.e. they are created by Windows components such as
the shell document library (as appears to be the case here).

> I have checked a couple of windows 7 x64 computers, including one
> that was freshly installed and updated to sp1 about a week ago and i
> see this mutex. additionally i found this mutex as well:
>
> _SHuassist.mtx

Why that one as opposed to hundreds of others that may be present on
the system?

> does anyone know if there is a legitimate reason that a computer
> would have the following mutexes or are they exclusively used by
> malware?

I can see no reason why malware would use them. They are used by
programs like explorer.exe (the GUI), Internet Explorer and Outlook
Express. Another one you might see is _!MSFTHISTORY!_ (without the
"SH" part).


jwf

Mar 9, 2015, 8:16:59 PM
On Monday, March 9, 2015 at 11:38:00 AM UTC-4, Ant wrote:
> "jwf" wrote:
>
> > found this on a windows 7 computer and cannot find anything saying
> > what it is used for.
> >
> > _!SHMSFTHISTORY!_
>
> Why were you looking for it and how did you find it?

Found it in a memory image during forensics analysis.

>
> > googling this mutex pulls back a ton of references to various
> > malware, backdoors, trojans, etc.
>
> The problem with checking automatic analysis of executables for
> signs of malware is that creation or access of various Windows objects
> (like mutants in this example) is sometimes a side effect of running
> the executable, i.e. they are created by Windows components such as
> the shell document library (as appears to be the case here).
>
> > I have checked a couple of windows 7 x64 computers, including one
> > that was freshly installed and updated to sp1 about a week ago and i
> > see this mutex. additionally i found this mutex as well:
> >
> > _SHuassist.mtx
>
> Why that one as opposed to hundreds of others that may be present on
> the system?

Because out of the dozen others I checked, this one came back with malicious references during online searches, just like the one above.

>
> > does anyone know if there is a legitimate reason that a computer
> > would have the following mutexes or are they exclusively used by
> > malware?
>
> I can see no reason why malware would use them. They are used by
> programs like explorer.exe (the GUI), Internet Explorer and Outlook
> Express. Another one you might see is _!MSFTHISTORY!_ (without the
> "SH" part).

https://www.google.com/#q=_!SHMSFTHISTORY!_
https://www.google.com/#q=_SHuassist.mtx

BTW, I did not find any references to any legit programs using this, which is the reasoning for my question. If you can find a reference to a legit program using this, then please let me know.

Ant

Mar 10, 2015, 6:54:15 PM
"jwf" wrote:

> On Monday, March 9, 2015 at 11:38:00 AM UTC-4, Ant wrote:
>> "jwf" wrote:
>>> found this on a windows 7 computer and cannot find anything saying
>>> what it is used for.
>>>
>>> _!SHMSFTHISTORY!_
>>
>> Why were you looking for it and how did you find it?
>
> found it in a memory image during forensics analysis

Ok.

[snip]

>> I can see no reason why malware would use them. They are used by
>> programs like explorer.exe (the GUI), Internet Explorer and Outlook
>> Express. Another one you might see is _!MSFTHISTORY!_ (without the
>> "SH" part).
>
> https://www.google.com/#q=_!SHMSFTHISTORY!_
> https://www.google.com/#q=_SHuassist.mtx

Yes thanks, I know how to use search engines. What do you think I
based my comments about false positives on (when I mentioned side
effects)? All these results are hits from automatic analysis of
malware samples even when they appear not to be. That is quite obvious
to me as a malware researcher of some experience.

> BTW i did not find any references to any legit programs using this,

There's not much reason why you should. After all, these mutexes are
part of the internals of the Windows user interface, are undocumented
and not much use for anything else.

> which is the reasoning for my question. if you can find a reference
> to a legit program using this, then please let me know.

Of course I can and so should you if you're into forensic analysis
(look at the OS itself rather than Google). As I implied previously,
the malware references are red herrings and are caused by user
interface functions being called during the normal operation of the
executable. Note, malware may not display a user interface even when
written to run under the GUI subsystem as most are.

To be specific:

_!SHMSFTHISTORY!_ (shell microsoft history?)
Set/checked by shdocvw.dll "Shell Doc Object and Control Library"

_SHuassist.mtx (shell user assist mutex?)
Set/checked by browseui.dll "Shell Browser UI Library"

Both these DLLs are part of the OS and the mutexes get created when
certain shell functions to do with accessing the file system or the
web are called (I've made educated guesses as to the meaning of the
names). This is on XP and I doubt much has changed on Win 7. Any
programs legitimate or otherwise that make particular API calls will
cause the creation of these mutexes (MS calls them mutants).
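
The two checks Ant's replies point at (treat the mutant names from an automated sandbox report as possible side effects of the OS shell, and verify against the OS itself rather than a search engine) can be scripted. The example below is added here and is not code from the thread or from any Microsoft tool. It does two things with constructed data: it diffs a mutant listing from a suspect memory image against a listing taken from a known-clean build of the same OS, so only names absent from the baseline need attention, and it searches a byte blob for a mutex name in both ASCII and UTF-16LE form, which is how one would check a local copy of shdocvw.dll or browseui.dll (a `strings -el` style wide-string extractor is included). The listing format, the sample name `Global\EXAMPLE-unknown-mutex-1234` and the `FAKE_DLL_BYTES` stand-in are all constructed for the example; that the real DLLs carry these names as wide strings is an assumption to verify on the analyst's own copy of the files, not something checked here.

```python
"""Triage of mutant (mutex) names recovered from a Windows memory image.

Added example, not from the original thread. Two defender-side checks:
 1. Baseline diff: suspect-host mutant names minus the names seen on a
    known-clean reference build of the same OS version.
 2. Local string check: look for a name inside an OS binary's bytes in
    ASCII and UTF-16LE (Windows object names are wide strings), instead
    of relying on web search hits from automated malware sandboxes.
All inputs below are constructed sample data, not real image output.
"""
from __future__ import annotations

import re

# Constructed: one-name-per-line mutant listing from a known-clean
# Windows 7 x64 reference machine (format assumed; adapt to your tool).
BASELINE_LISTING = """\
_!SHMSFTHISTORY!_
_!MSFTHISTORY!_
_SHuassist.mtx
ShimCacheMutex
ZonesCounterMutex
"""

# Constructed: the same kind of listing from the suspect image, with one
# made-up name that is not part of the clean baseline.
SUSPECT_LISTING = """\
_!SHMSFTHISTORY!_
_!MSFTHISTORY!_
_SHuassist.mtx
ShimCacheMutex
ZonesCounterMutex
Global\\EXAMPLE-unknown-mutex-1234
"""


def parse_listing(text: str) -> set[str]:
    """Turn a one-name-per-line listing into a set, ignoring blank lines."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def unexplained_mutants(suspect: str, baseline: str) -> set[str]:
    """Names present on the suspect host but absent from the clean baseline.

    Names that also appear on a freshly installed machine (as jwf observed
    for _!SHMSFTHISTORY!_ and _SHuassist.mtx) drop out here automatically.
    """
    return parse_listing(suspect) - parse_listing(baseline)


def encodings_of(name: str) -> dict[str, bytes]:
    """The two byte forms a Windows binary might embed a name in."""
    return {"ascii": name.encode("ascii"), "utf-16le": name.encode("utf-16-le")}


def names_in_binary(data: bytes, names: list[str]) -> dict[str, str | None]:
    """For each name, report which encoding (if any) occurs in `data`.

    Pass the bytes of a local DLL (e.g. open(path, "rb").read()) to check
    whether the OS component itself carries the string.
    """
    result: dict[str, str | None] = {}
    for name in names:
        found = None
        for enc, needle in encodings_of(name).items():
            if needle in data:
                found = enc
                break
        result[name] = found
    return result


def find_wide_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Extract printable UTF-16LE strings of at least `min_len` characters,
    the same idea as `strings -el` on a PE file."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


# Constructed stand-in for a slice of an OS DLL: NUL padding around the
# mutex name stored as a wide string, followed by some unrelated bytes.
FAKE_DLL_BYTES = (
    b"\x00" * 16
    + "_!SHMSFTHISTORY!_".encode("utf-16-le")
    + b"\x00" * 16
    + b"\x90" * 8
)

if __name__ == "__main__":
    print("not in baseline:", unexplained_mutants(SUSPECT_LISTING, BASELINE_LISTING))
    print("found in blob:", names_in_binary(FAKE_DLL_BYTES, ["_!SHMSFTHISTORY!_", "_SHuassist.mtx"]))
    print("wide strings:", find_wide_strings(FAKE_DLL_BYTES))
```

The baseline diff is the more useful of the two in practice: a name shared with a clean install of the same build is, by itself, not an indicator, whatever a sandbox report says. The string check is the quick local confirmation of Ant's "look at the OS itself" advice; a name absent from every OS binary is not thereby malicious, but a name present in one explains why benign and malicious samples alike show it in automated reports.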

